ABSTRACT

In a phased mission the relevant system configuration (block
diagram or fault tree) changes during consecutive time periods
(phases). Many systems are required to perform phased missions; a
classic example is a spacecraft.

The reliability analysis of a phased mission encounters complexities
not present with just one phase, but can be transformed into an
analysis of an equivalent synthetic single-phase system. The
transformation has a potential for direct application, but can also be
used to study refined computational methods and to derive approximations
to, and bounds on, mission reliability.

1. INTRODUCTION

1.1 BACKGROUND

Among the various areas of applied probability theory and statistics
which jointly have become known as reliability theory, structural
reliability is the study of qualitative and quantitative relationships
between the reliability of (redundant) systems and the reliability of
their components. Reliability in the sense used here is the "probability
of a device performing its purpose adequately for the period of
time intended and the operating conditions encountered."

The problem of constructing reliable systems by using relatively
unreliable components redundantly was first studied by von Neumann
[1956]. Moore and Shannon [1956], inspired by the von Neumann paper,
analyzed relay circuits in which all relays have the same reliability.
They proved that the reliability of the circuit is an S-shaped function
of the common relay reliability, and subsequently showed that by proper
incorporation of redundancy, arbitrarily reliable circuits can be
constructed from arbitrarily unreliable elements. Their analysis
proceeded from a mathematical result which has come to be called the
"Moore-Shannon inequality." Birnbaum, Esary, and Saunders [1961]
generalized the concepts and extended some of the results of Moore
and Shannon, including the S-shapedness property, to the large class
of "coherent" systems, using Boolean functions to describe the
functional organization of systems. Esary and Proschan [1963] further
extended the Moore-Shannon inequality to the case of unequal component
reliabilities, and obtained convenient upper and lower bounds on
system reliability. With the subsequent introduction of the concept
of "system life" [Esary and Marshall 1964], a theoretical basis
for the reliability analysis of complex systems was complete.

Recent and ongoing research seems to follow mainly two lines. On
one hand, the theoretical basis is broadened, more realistic and hence
more complex situations are considered, and attempts to do without
some of the restrictive assumptions presently required are made. On
the other hand, approximation techniques and computational procedures
are explored with a view toward their implementation on digital
computers.

One specialized area of interest is the extension of the basic
problem of structural reliability to the situation in which the
functional organization of a system changes with time. This situation,
called the phased mission problem, is the topic of this thesis.

1.2   THE  PHASED  MISSION  PROBLEM 

The reliability analysis of phased missions has received attention
in the basic papers of Rubin [1964] and Weisberg and Schmidt [1966]
which present procedures to approximately predict mission reliability
and crew safety for manned spacecraft. These authors introduced a
method of "cut cancellation" which can be advantageously used to
simplify the structure of a system prior to beginning reliability
calculations. More recently, a similar approach is described in the
United States Navy reliability manual NAVORD OD 29304 Revision A
[1973]. Muth [1964], in an unpublished report, approached the
problem from a different angle, concentrating on "success paths."

The phased mission problem as considered here refers to the
following situation:

A system consists of several components. The components perform
independently of each other, and each of them can be in one of
two states, functioning or failed. No component can be repaired
or replaced, and each component has a life. The system performs
a mission which can be divided into consecutive time periods, or
phases. During each phase it has to accomplish a specified task.
Thus the system configuration (a subset of the components and their
functional organization which can be represented, for instance, by
a block diagram or a fault tree) changes from phase to phase. As
is the case with individual components, only two states of the
system are recognized, functioning or failed.

With this situation in mind, the problem itself can be stated as:
Given the survival characteristics of the components, the relevant
system configuration in each phase, and the duration of the
phases, what is the probability that the system will function
throughout the mission, i.e. the mission reliability for the
system?

The classic example of a phased mission is the voyage of a space
vehicle, but many other systems are also required to perform phased
missions. To illustrate the ideas and methods of this thesis, the
following hypothetical situation will frequently be considered.

Example 1.1. A fire department has three vehicles:

- a multipurpose fire engine (M),
- a tanker (T),
- a light fire truck (L).

The firefighting equipment of a small chemical factory located
nearby consists of:

- a sprinkler system (S),
- a hydrant (H),
- a special apparatus for fighting chemical fires (F).

The plant safety engineer wonders whether the combined hardware
resources of the fire department and the factory are sufficient to
fight a fire in the factory. He consults the fire chief, and together
they conclude:

(1) During the initial stage of a fire either the multipurpose
engine, which carries a small water supply, or the light truck,
provided the sprinkler system works, suffices to evacuate the building.

(2) To contain the fire the factory's special apparatus is
needed, together with some auxiliary capability from the multipurpose
engine or the light truck. Water can be supplied to the special
apparatus and the department's units by the hydrant, or if it is out
of order, by the tanker through pumps in the multipurpose engine.

(3) After the fire has been contained it can be controlled
either by the special apparatus or the multipurpose engine. Again,
water can be supplied by the hydrant or by the tanker together with
the multipurpose engine. □

The firefighting system described above has six components, and
it has to perform a three-phased mission. If it fails in even one
of the three phases, the mission is not accomplished.

1.3   SOME  COMPLEXITIES  OF  THE  PHASED  MISSION  PROBLEM 

The reliability analysis of a phased mission encounters some
complexities which are not present when only one phase is considered.
For one thing, it is not correct to do a standard reliability
analysis for each phase separately, and then multiply the resulting
phase reliabilities together, even if the age of the components at
the beginning of each phase is taken into account. The implicit
assumption involved, that each component is functioning at the
beginning of a phase when the system has functioned throughout the previous
phase, is not necessarily true. The following example illustrates
this point.

Example 1.2. A system with two independent components, $C_1$
and $C_2$, is designed for a two-phased mission. In order for the
system to perform the required tasks, at least one component has to
function through phase 1 and both components have to function through
phase 2. The block diagram for this system is

[Block diagram: phase 1 and phase 2 configurations.]

For $k=1,2$, let $\pi_{k1}$ denote the probability that component $C_k$
functions through phase 1, and $\pi_{k2}$ denote the conditional
probability that component $C_k$ functions through phase 2, given that it
has functioned through phase 1. The system reliability for phase 1
is $\pi_1 = \pi_{11} + \pi_{21} - \pi_{11}\pi_{21}$, and the system reliability for phase
2, given that both the components have functioned through phase 1,
is $\pi_2 = \pi_{12}\pi_{22}$. Multiplying these together would lead to the
mission reliability

$$\pi = \pi_1\pi_2 = (\pi_{11} + \pi_{21} - \pi_{11}\pi_{21})\,\pi_{12}\pi_{22}.$$

This is greater than the correct mission reliability, which is

$$p = \pi_{11}\pi_{12}\pi_{21}\pi_{22},$$

since mission success is achieved if, and only if, both components
function throughout both phases. □

The multi-phase case is potentially different from the single-phase
case in another respect. With just one phase, if each component
has a life and the system configuration is coherent, then the system
has a life. In the multi-phase case this is not necessarily true.
Even if all components have lives and all phase configurations are
coherent, the system may not have a life. How this can happen is
shown in the next example.

Example 1.3. A two-component system is designed for a two-phase
mission with the phase configurations represented by the block
diagram

[Block diagram: phase 1 and phase 2 configurations.]

If $\pi_{kj}$, $k=1,2$, $j=1,2$, are defined as in Example 1.2, then there is
a probability $(1 - \pi_{11})\pi_{21}\pi_{22}$ that the system fails in phase 1, but
functions again in phase 2. In this sense the system does not have
a life. □

The possible resurrection of a system in a later phase does not
present a problem in the reliability analysis of phased missions if
it is assumed that the life of the system ends at the time of its
first failure. This assumption is reasonable since failure of the
system in even one phase usually prevents mission success, and will
always be made here. By contrast, the possible resurrection of a
component would pose a much more serious problem, and is ruled out by
the assumption that all components have lives.

1.4   NON-ANALYTIC  WAYS  TO  EVALUATE  PHASED  MISSIONS 

Traditionally, the reliability of complex systems performing
multi-phased missions has been estimated by Monte Carlo methods. For
large systems, however, mission simulation and determination of success
or failure are time-consuming even when digital computers are employed.
Furthermore, Monte Carlo methods require a great number of simulation
replications before high confidence limits can be placed on a narrow
reliability band. It is therefore not surprising that these methods
proved to be excessively expensive in terms of both time and money,
especially when parametric studies must be performed.

Another method of analyzing phased missions is by considering the
distinct combinations of component performances which lead to mission
success, i.e. the success paths. To see how this works, assume that
the system has n components $C_1,\ldots,C_n$, and is designed for an
m-phased mission. Let $\ell_k$ be the maximum number of phases component
$C_k$ survives, $\ell_k = 0,1,\ldots,m$, $k=1,\ldots,n$. Each of the n-tuples
$(\ell_1,\ldots,\ell_n)$ then represents an event which implies either mission
success or failure, depending on the functional organization of the
system in the m phases. The probabilities of the events can be
computed from the component survival characteristics. Since the events
are disjoint, the probability of mission success, i.e. the
reliability of the system for the mission, is the sum of the probabilities
of the success path events.

This method is straightforward and could easily be developed into
an algorithm for computer implementation. In addition, it has the
advantage that with a slight modification not only the mission
reliability but also the probability of the system to survive the first j
phases of its mission, $j=1,\ldots,m$, can be obtained. However, the
number of n-tuples to be considered, $(m+1)^n$, is such that economic
reasons prevent its use even for moderately sized systems performing
only a few phases.

A refined computational method based on success paths was developed
by Muth [1964]. His approach consists of setting up phase matrices of
components and success paths, and collapsing these matrices successively
into a single matrix which represents system success at the end of phase
j, $j=1,\ldots,m$. If the system can be broken up into many small
subsystems which have no components in common and thus can be analyzed
separately, this approach makes reliability computations feasible.

1.5   CONTENTS  AND  SUMMARY 

In this thesis, the phased mission problem is approached
analytically. The verbal statement of the problem in Section 1.2 is translated
into mathematical terms in Chapter 2. The resulting model is an
equation which relates mission reliability to the survival characteristics
of the components, the phase durations, and the phase configurations.
However, this equation, i.e. (2.3.1), neither provides much insight into
the problem nor can it easily be used to obtain numerical results.
In Chapter 3 a transformation is exhibited by means of which
a multi-phase mission can be reduced to an equivalent synthetic
single-phase system. Direct applications of this transformation are
discussed in Chapter 4. They include a method to adapt existing
algorithms and computer programs to the calculation of exact mission
reliabilities, and a technique to simplify phased mission problems
prior to beginning reliability calculations.

A troublesome byproduct of the transformation is an apparent
increase in the number of components of the system to which it is
applied. This may aggravate computational problems and make the
calculation of the exact mission reliability infeasible. Consequently,
it may be necessary to resort to approaches which require less
computational effort. Chapter 5, therefore, is devoted to a study of
bounds on mission reliability. Several upper and lower bounds are
derived and compared with each other, both in terms of precision and
the amount of computational effort required, and an algorithm for the
"best" lower bound is presented. An approximation technique which
has successfully been applied to single-phase systems is based on the
approximate hazard transform of Esary and Hayne [1973]; its potential
for the phased mission problem is discussed in Chapter 6.

Finally, possible extensions of the methods presented in this
thesis, and areas where further research is needed, are indicated in
Chapter 7.

2. MATHEMATICAL FORMULATION OF THE PHASED MISSION PROBLEM

The  starting  point  of  an  analysis  of  the  phased  mission  problem 
described  in  Section  1.2  is  a  mathematical  model  which  quantitatively 
relates  the  variables  of  interest  (the  survival  characteristics  of  the 
components,  the  functional  organization  of  these  components  in  the 
various  phases  of  the  mission,  and  the  duration  of  the  phases)  to 
mission  reliability.   Such  a  model  is  developed  here  in  three  steps. 
The  analytic  tools  employed  are  extensions  of  those  used  in  standard 
reliability  analysis.   The  underlying  assumptions  are  made  explicit. 

2.1  A  MODEL  FOR  COMPONENT  PERFORMANCES 

The system under consideration is assumed to have n components,
labelled $C_1,\ldots,C_n$. Each component $C_k$ has a life, and hence its
time to failure, or life length, is well defined. Since it depends
on many factors and cannot be predicted accurately, it is expressed
by a non-negative random variable $T_k$. The assumption that the
components perform independently of each other formally means that
$T_1,\ldots,T_n$ are stochastically independent.

For each component $C_k$ and all times $t \ge 0$, let $X_k(t)$ be a
Bernoulli random variable defined by

$$X_k(t) = \begin{cases} 1 & \text{if component } C_k \text{ functions at time } t, \\ 0 & \text{otherwise.} \end{cases}$$

The random variable $X_k(t)$ is called a performance state indicator
variable, and the stochastic process $\{X_k(t), t \ge 0\}$ is the performance
process of the component $C_k$. Since each component has a life, this
process has the properties:

(2.1.1)  a) $X_k(t) = 0 \iff X_k(s) = 0,\ s \ge t$.

         b) $X_k(t) = 1 \iff X_k(s) = 1,\ 0 \le s \le t$.

Thus a sample path of a performance process is non-increasing and
continuous from the right, as indicated in Figure 2.1.


[Plot of $X_k(t)$, with levels $X_k(t)=1$ and $X_k(t)=0$, against $t$.]

Figure 2.1. Performance process sample
path, component $C_k$.


For each $t \ge 0$, let $\mathbf{X}(t) = (X_1(t),\ldots,X_n(t))$ be the performance
state indicator vector of the set of components. Then the stochastic
process $\{\mathbf{X}(t), t \ge 0\}$ is called the joint performance process of the
components.

The  joint  performance  process  is  a  mathematical  description  of  the 
component  failure  times,  and  as  such  the  first  step  in  the  development 
of  the  model.   It  is  compatible  with  the  use  of  structure  functions 
to  represent  system  configuration  within  the  phases,  which  is  discussed 
in  the  next  section. 

2.2  A  MODEL  FOR  SYSTEM  CONFIGURATIONS 

It is assumed throughout this thesis that the state of the system
(i.e. functioning or failed) is completely determined by the states of
its components. Then the system configuration in each of the
phases can be described by a block diagram or a fault tree for
conceptual purposes, or by a structure function for mathematical
analysis. A structure function is a binary function $\phi$ of binary
variables $x_1,\ldots,x_n$ which relates the performance state of the
system to the performance states of its components; in particular
$\phi(\mathbf{x}) = \phi(x_1,\ldots,x_n) = 1$ if the system functions, and $\phi(\mathbf{x}) = 0$
otherwise, where $x_k = 1$ if component $C_k$ functions, and $x_k = 0$
otherwise.

It is further assumed that each phase configuration of a system
is coherent, i.e. can be represented by a block diagram or a fault
tree using AND and OR gates. If a configuration is coherent, then
its structure function $\phi$ has the properties:

(2.2.1)  a) $\phi(\mathbf{x}) \ge \phi(\mathbf{y})$ whenever $x_k \ge y_k$, $k=1,\ldots,n$.

         b) $\phi(\mathbf{0}) = \phi(0,\ldots,0) = 0$.

         c) $\phi(\mathbf{1}) = \phi(1,\ldots,1) = 1$.

To illustrate, a block diagram for the mission described in
Example 1.1 is shown in Figure 2.2, and a fault tree in Figure 2.3.

[Block diagram with panels for phase 1, phase 2 and phase 3.]

Figure 2.2. Block diagram for the mission
of Example 1.1.

[Fault tree; event labels include "containment fails", "no primary
delivery", "no auxiliary delivery" and "no water".]

Figure 2.3. Fault tree for the mission
of Example 1.1.

The structure functions for the system of Example 1.1 are:

for phase 1, $\phi_1 = x_M \vee x_L x_S$,

for phase 2, $\phi_2 = x_F\,(x_H(x_M \vee x_L) \vee x_M x_T)$,

for phase 3, $\phi_3 = x_F x_H \vee x_M(x_T \vee x_H)$.

The symbol $\vee$ is the arithmetic OR operator, i.e.

$$x_1 \vee x_2 = \begin{cases} 1 & \text{if } x_1 = 1 \text{ or } x_2 = 1, \\ 0 & \text{if } x_1 = 0 \text{ and } x_2 = 0, \end{cases}$$

or for computational purposes, $x_1 \vee x_2 = x_1 + x_2 - x_1 x_2 =
1 - (1-x_1)(1-x_2)$.

The phase structure functions can be combined with the joint
performance process to achieve a concise mathematical formulation of the
phased mission problem.

2.3  A  COMPLETE  MODEL  FOR  THE  PHASED  MISSION  PROBLEM 

The mission is assumed to be divided into m phases, and to
start at time t=0. For $j=1,\ldots,m$, the time at which phase j ends
and, except for j=m, the next phase begins, is denoted by $t_j$. The
structure function appropriate for phase j is denoted by $\phi_j$.

The event that the system functions during phase j can be
expressed as $\{\phi_j(\mathbf{X}(t_j))=1\}$, and the event that the system functions
throughout the m phases, i.e. throughout the mission, as
$\{\phi_1(\mathbf{X}(t_1))=1,\ldots,\phi_m(\mathbf{X}(t_m))=1\}$. The mission reliability for the system
is the probability that this event occurs. Since $\phi_j(\mathbf{X}(t_j))$, $j=1,\ldots,m$,
are Bernoulli random variables, this probability can be expressed
compactly by

(2.3.1)  $p = P\left[\prod_{j=1}^{m} \phi_j(\mathbf{X}(t_j)) = 1\right] = E \prod_{j=1}^{m} \phi_j(\mathbf{X}(t_j)),$

where E denotes expectation.

Equation (2.3.1) is the complete model for the phased mission
problem as described in the introduction and as qualified by the
assumptions made, but neither is it a formula for practical reliability
calculations nor does it provide much insight into the problem. It
does, however, indicate that the sequential operation of the phase
configurations to some extent resembles the operation of subsystems
performing in series. This fact is essential in transforming the
phased mission problem.

3. TRANSFORMATION OF THE PHASED MISSION PROBLEM

Complexities in the reliability analysis of phased missions arise
because a component's performance in one phase is not stochastically
independent of its performance in any other phase. The dependence,
however, is of a special type. A component functions in phase j if,
and only if, it has previously functioned in phase 1, and in phase 2,
..., and in phase j-1, and then functions in phase j. This sequence
of requirements suggests that the performance of a component in phase
j can be represented by a series-like structure whose elements
represent its performance in phases $1,\ldots,j$.

3.1  THE  TRANSFORMATION 

Suppose that component $C_k$ is replaced in phase j by a system
of components $C_{k1},\ldots,C_{kj}$, performing independently and in series.
In block diagram format, the block

[Block diagram: single block.]

is replaced in phase j by the system

[Block diagram: blocks in series.]

In fault tree format, the input event $C_k$ (failure of component $C_k$)
is replaced in phase j by

Let $U_{k1},\ldots,U_{kj}$ be independent performance state indicator
variables for the components $C_{k1},\ldots,C_{kj}$, with

(3.1.1)  $P[U_{k1}=1] = P[X_k(t_1)=1]$,

         $P[U_{ki}=1] = P[X_k(t_i)=1 \mid X_k(t_{i-1})=1]$, $i=2,\ldots,j$.

Then $P[X_k(t_j)=1] = P[U_{k1}U_{k2}\cdots U_{kj}=1]$, and thus

$$X_k(t_j) \stackrel{st}{=} U_{k1}U_{k2}\cdots U_{kj},$$

where $\stackrel{st}{=}$ means "is stochastically equal to" or, less formally,
"has the same distribution as." Thus the original component and the
substituted system have, as of the end of phase j, the same
reliability.

The preceding observations suggest that a transformation of the
phased mission problem can be accomplished by

a) Replacing, in the configuration for phase j, $j=1,\ldots,m$,
component $C_k$, $k=1,\ldots,n$, by a series system in which the
components $C_{k1},\ldots,C_{kj}$ perform independently, with the
probabilities of functioning given in (3.1.1).

b) Considering the transformed phase configurations to be
subsystems which operate in series.

The resulting new system, which has (at most) $n \cdot m$ independent
components, is the equivalent system. As will be shown later, the
ordinary reliability of the equivalent system is the same as the
reliability of the original system for its phased mission.

The block diagram for the equivalent system arising out of Example
1.1 is given in Figure 3.1. A comparison with the block diagram for
the phased mission shown in Figure 2.2 illustrates how the
transformation is implemented.

Figure 3.1. Equivalent system for the
mission of Example 1.1.

3.2 SOME PROPERTIES OF THE EQUIVALENT SYSTEM

Two important properties of the equivalent system are that it
performs just one phase, and that it is coherent. The former is a
direct consequence of step (b) of the transformation. To obtain the
latter, note that by step (b) of the transformation the equivalent
system is a series, and hence coherent, structure of subsystems which
themselves are coherent structures by assumption; their elements are,
from step (a) of the transformation, series systems of components.
The result then follows from the fact that a coherent structure of
coherent structures is coherent.

These two properties together with the assumption that all
components in the original system - and hence all components in the
equivalent system - have lives imply that the equivalent system has a
life. Thus the potential difficulties mentioned in the introduction
and illustrated in Example 1.3 cannot occur in the equivalent system.

By contrast, another one of the difficulties of phased missions
mentioned in the introduction does not disappear in the equivalent
system. Although the m phase configurations operating in sequence
in the phased mission become m subsystems operating in series in the
equivalent system - a fact which simplifies the problem considerably -
the subsystems usually have components in common and do not function
independently. Hence the product of the subsystem reliabilities is in
general not equal to the reliability of the equivalent system, as is
illustrated by the following extension of Example 1.2.

Example 3.1. For the mission described in Example 1.2, the
equivalent system has the block diagram

[Block diagram of the equivalent system: subsystem 1, subsystem 2.]

Letting $\pi_{kj}$, $k=1,2$, $j=1,2$, be as defined in Example 1.2, and
$p_{k1} = \pi_{k1}$, $p_{k2} = \pi_{k1}\pi_{k2}$, $k=1,2$, the subsystem reliabilities are

$$p_1 = \pi_{11} + \pi_{21} - \pi_{11}\pi_{21} = p_{11} + p_{21} - p_{11}p_{21},$$

$$p_2 = \pi_{11}\pi_{12}\pi_{21}\pi_{22} = p_{12}p_{22}.$$

Their product $p_1 p_2$ is, except in trivial cases, less than the true
system reliability $p = \pi_{11}\pi_{12}\pi_{21}\pi_{22} = p_{12}p_{22}$ which can be found by
reducing the block diagram to its simplest form

[Reduced block diagram.]

The true reliability for the equivalent system does agree with the
reliability for the phased mission given in Example 1.2. □

3.3  MATHEMATICAL  FORMULATION  OF  THE  TRANSFORMED  PROBLEM 

The transformed version of the phase j configuration functions
if the event $\{\phi_j(\mathbf{U}^{(1)}\mathbf{U}^{(2)}\cdots\mathbf{U}^{(j)})=1\}$ occurs, where $\mathbf{U}^{(i)} = (U_{1i},\ldots,U_{ni})$
and $\mathbf{U}^{(i)}\mathbf{U}^{(k)} = (U_{1i}U_{1k},\ldots,U_{ni}U_{nk})$. The equivalent system functions if
the event

$$\{\phi_1(\mathbf{U}^{(1)}) = 1,\ \phi_2(\mathbf{U}^{(1)}\mathbf{U}^{(2)}) = 1,\ \ldots,\ \phi_m(\mathbf{U}^{(1)}\mathbf{U}^{(2)}\cdots\mathbf{U}^{(m)}) = 1\}$$

occurs. Thus the reliability of the equivalent system is

(3.3.1)  $p = P\left[\prod_{j=1}^{m} \phi_j(\mathbf{U}^{(1)}\mathbf{U}^{(2)}\cdots\mathbf{U}^{(j)}) = 1\right] = E \prod_{j=1}^{m} \phi_j(\mathbf{U}^{(1)}\mathbf{U}^{(2)}\cdots\mathbf{U}^{(j)}).$

3.4 RELIABILITY EQUIVALENCE OF THE ORIGINAL AND THE EQUIVALENT SYSTEM

It remains to establish that the reliability of the equivalent
system agrees with the mission reliability of the original system, i.e.
that p as given by (3.3.1) agrees with p as given by (2.3.1). This
is done by the following theorem and the subsequent remarks.

Theorem 3.1. Let $X_1,\ldots,X_m$ be a non-increasing sequence of
Bernoulli random variables, i.e. $X_1 \ge X_2 \ge \cdots \ge X_m$. Let $U_1,\ldots,U_m$ be
independent Bernoulli random variables with

$$P[U_1=1] = P[X_1=1],$$

$$P[U_j=1] = P[X_j=1 \mid X_{j-1}=1], \quad j=2,\ldots,m.$$

Then $X_1,\ldots,X_m \stackrel{st}{=} U_1, U_1U_2, \ldots, U_1U_2\cdots U_m$.

Proof. It is only necessary to show for each non-increasing
binary sequence $x_1 \ge x_2 \ge \cdots \ge x_m$, $x_j = 0$ or 1, $j=1,\ldots,m$, that

$$P[X_1=x_1,\ldots,X_m=x_m] = P[U_1=x_1, U_1U_2=x_2,\ldots,U_1U_2\cdots U_m=x_m].$$

For the sequence $x_1=0, x_2=0,\ldots,x_m=0$,

$$P[X_1=0,\ldots,X_m=0] = P[X_1=0] = P[U_1=0]$$

$$= P[U_1=0, U_1U_2=0,\ldots,U_1U_2\cdots U_m=0].$$

For the sequence $x_1=1, x_2=1,\ldots,x_m=1$,

$$P[X_1=1,\ldots,X_m=1] = P[X_m=1 \mid X_{m-1}=1] \cdots P[X_2=1 \mid X_1=1]\,P[X_1=1]$$

$$= P[U_m=1] \cdots P[U_2=1]\,P[U_1=1]$$

$$= P[U_1=1, U_1U_2=1,\ldots,U_1U_2\cdots U_m=1].$$

For any other sequence $x_j=1$, $j=1,\ldots,\ell$, $x_j=0$, $j=\ell+1,\ldots,m$,

$$P[X_1=1,\ldots,X_\ell=1, X_{\ell+1}=0,\ldots,X_m=0]$$

$$= P[X_m=0,\ldots,X_{\ell+1}=0 \mid X_\ell=1,\ldots,X_1=1]\,P[X_\ell=1,\ldots,X_1=1]$$

$$= P[X_{\ell+1}=0 \mid X_\ell=1]\,P[X_\ell=1,\ldots,X_1=1]$$

$$= P[U_{\ell+1}=0]\,P[U_1=1,\ldots,U_\ell=1]$$

$$= P[U_1=1,\ldots,U_\ell=1, U_{\ell+1}=0]$$

$$= P[U_1=1, U_1U_2=1,\ldots,U_1U_2\cdots U_\ell=1, U_1\cdots U_{\ell+1}=0,\ldots,U_1U_2\cdots U_m=0]. \quad □$$

From (2.1.1) the sequence of variables $X_k(t_1),\ldots,X_k(t_m)$, which indicate the performance of component $C_k$ at the end of each phase, is non-increasing. Thus for $U_{k1},\ldots,U_{km}$ constructed according to (3.1.1),

$$X_k(t_1), X_k(t_2), \ldots, X_k(t_m) \stackrel{st}{=} U_{k1},\ U_{k1}U_{k2},\ \ldots,\ U_{k1}U_{k2}\cdots U_{km}.$$

Then, since component failure times, and consequently performance processes, are independent,

$$X(t_1), X(t_2), \ldots, X(t_m) \stackrel{st}{=} U^{(1)},\ U^{(1)}U^{(2)},\ \ldots,\ U^{(1)}U^{(2)}\cdots U^{(m)}.$$

Since the event "success in the phased mission" occurs if $\phi_j(X(t_j))=1$, $j=1,\ldots,m$, and the event "functioning of the equivalent system" occurs if $\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)})=1$, $j=1,\ldots,m$, then these two events are stochastically equivalent. Thus p as given by (2.3.1) agrees with p as given by (3.3.1).
4.   DIRECT  APPLICATIONS  OF  THE  TRANSFORMATION 

The  transformation  described  in  Chapter  3  can  be  used  to  obtain 
results  for  the  phased  mission  problem  which  are  of  theoretical  and 
practical  interest.   Two  of  these  are  discussed  below. 

4.1   CALCULATION  OF  THE  EXACT  MISSION  RELIABILITY 

Several computational methods²⁷ are known for the numerical evaluation of system reliability in the single-phase case. Based on them, computer programs²⁸ for reliability analyses have been developed. The transformation provides, in principle, a way to adapt these methods and programs to the calculation of mission reliabilities in the multi-phase case. The necessary inputs are the phase configurations and, phase by phase, the conditional probabilities that the components survive the phase, given that they have survived the previous phases, i.e. the conditional component phase reliabilities

$$\pi_{k1} = P[X_k(t_1)=1],$$
$$\pi_{kj} = P[X_k(t_j)=1 \mid X_k(t_{j-1})=1],\quad j=2,\ldots,m, \tag{4.1.1}$$

k=1,...,n. From (3.1.1) the conditional component phase reliabilities are the reliabilities of the components in the equivalent system. Computer programs could be adapted to accomplish steps (a) and (b) of the transformation internally, and then to find the reliability of the equivalent system which by Theorem 3.1 is the mission reliability for the original system.

Theoretically, this approach eliminates all difficulties inherent in the phased mission problem, because it reduces the reliability analysis of a system performing a multi-phase mission to the standard reliability analysis of a single-phase system. It may, however, not always be a practical or an efficient approach. Realistic systems usually have so many components to start with that when the transformation is performed with its concomitant increase in the number of components in the equivalent system, the costs - in terms of computer time and memory - of calculating exact mission reliabilities are excessive. Frequently this is the case even for single-phase missions. Most existing reliability analysis programs therefore are designed to provide only approximations to system reliability, and it is not always clear whether such an approximation is conservative or optimistic. Thus the direct approach, i.e. applying the transformation and then using an existing computer program, is not necessarily the best solution to the phased mission problem.

Different  approaches  to  the  assessment  of  mission  reliability  which 
avoid  some  of  the  problems  mentioned  above  will  be  discussed  in  Chapters 
5  and  6,  after  an  additional  direct  application  of  the  transformation 
has  been  presented. 

4.2  THE  CUT  CANCELLATION  TECHNIQUE 

The  transformation  can  provide  a  simple  rationale  for  the  cut 
cancellation  technique  of  Rubin,  Weisberg,  and  Schmidt.   Conversely, 
cut  cancellation  can  result  in  an  advantageous  simplification  of  the 
earlier  configurations  of  a  phased  mission,  prior  to  any  implementation 
of  the  transformation. 

For instance, the sequence of phase configurations in Example 1.2 turned out to have the mission reliability $p = \pi_{11}\pi_{12}\pi_{21}\pi_{22}$. Using notation introduced in Example 3.1, i.e. defining the (unconditional) component reliability $p_{kj}$ as the probability that component $C_k$ survives from the beginning of the mission through the end of phase j,

$$p_{kj} = P[X_k(t_j)=1] = \prod_{i=1}^{j}\pi_{ki},\quad j=1,\ldots,m, \tag{4.2.1}$$

k=1,...,n, this mission reliability can be written as $p = p_{12}p_{22}$. The sequence of phase configurations

[Block diagram: phase 1, phase 2]

has the same mission reliability. In Example 1.2 the only minimal cut set in phase 1, $\{C_1,C_2\}$, contains the phase 2 cut sets $\{C_1\}$ and $\{C_2\}$. Thus $\{C_1,C_2\}$ can be "cancelled" in its phase, leaving a configuration which can never fail.

The minimal cut sets of a (coherent) system are the minimal (in the sense of set inclusion) combinations of components which by all failing cause the system to fail. Every coherent system can be viewed as a series structure of subsystems, each of which consists of the components in a minimal cut set acting in parallel.²⁹ Equivalently, the configuration of every coherent system - and, in the context of the phased mission problem, every phase configuration - can be described by a complete list of its minimal cut sets.

The rule for cut cancellation is:

    A minimal cut set in a phase can be cancelled, i.e.
    omitted from the list of minimal cut sets for that
    phase, if it contains a minimal cut set of a
    later phase.

A slightly more typical illustration of how cut cancellation works is given in the following example.

Example 4.1. A mission has the phase configurations

[Block diagram: phase 1, phase 2]

The minimal cut sets are:
in phase 1   $\{C_1\}$  $\{C_2,C_3\}$,
in phase 2   $\{C_2\}$  $\{C_1,C_3\}$.

The phase 1 cut $\{C_2,C_3\}$ contains the phase 2 cut $\{C_2\}$, and so can be cancelled in phase 1. No cancellation results from the fact that the phase 2 cut $\{C_1,C_3\}$ contains the phase 1 cut $\{C_1\}$ because cut cancellation is not a symmetric procedure.

After cancellation the sequence of phase configurations reduces to

[Block diagram: phase 1, phase 2]

It is easy to verify that both sequences lead to the same mission reliability by comparing their equivalent systems. □

The use of cut cancellation is justified by the theorem below. In its proof, the symbol $\bigvee$ is the repeated OR operator; for binary variables $x_1,\ldots,x_n$,

$$\bigvee_{k=1}^{n} x_k = x_1 \vee x_2 \vee \cdots \vee x_n,$$

or, for computational purposes,

$$\bigvee_{k=1}^{n} x_k = 1 - \prod_{k=1}^{n}(1-x_k).$$

Theorem 4.1. Cut cancellation does not affect mission reliability.

Proof. Assume without loss of generality that a system performing a phased mission contains a minimal cut set $\{C_1,\ldots,C_r,C_{r+1},\ldots,C_s\}$ in the configuration of phase h, and a minimal cut set $\{C_1,\ldots,C_r\}$ in the configuration of phase i, i>h. From (3.3.1) the reliability of the equivalent system is, in shorthand notation,

$$p = E\,\phi_1\phi_2\cdots\phi_h\cdots\phi_i\cdots\phi_m.$$

Let $\bar\phi_h$ and $\bar\phi_i$ denote the structure functions of the subsystems that remain when the above minimal cut sets are omitted in the transformed configurations of phase h and phase i, respectively. Then

$$\phi_h = \bar\phi_h \cdot \Big(\bigvee_{k=1}^{s}\prod_{j=1}^{h}U_{kj}\Big),$$
$$\phi_i = \bar\phi_i \cdot \Big(\bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}\Big). \tag{4.2.2}$$

The reliability can now be expressed as

$$p = E\,\phi_1\phi_2\cdots\bar\phi_h\Big(\bigvee_{k=1}^{s}\prod_{j=1}^{h}U_{kj}\Big)\cdots\bar\phi_i\Big(\bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}\Big)\cdots\phi_m$$
$$= E\,\phi_1\phi_2\cdots\bar\phi_h\cdots\bar\phi_i\cdots\phi_m\Big(\bigvee_{k=1}^{s}\prod_{j=1}^{h}U_{kj}\Big)\Big(\bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}\Big).$$

By the laws of Boolean algebra,

$$\Big(\bigvee_{k=1}^{s}\prod_{j=1}^{h}U_{kj}\Big)\Big(\bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}\Big) = \bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}.$$

Therefore,

$$p = E\,\phi_1\phi_2\cdots\bar\phi_h\cdots\bar\phi_i\Big(\bigvee_{k=1}^{r}\prod_{j=1}^{i}U_{kj}\Big)\cdots\phi_m,$$

i.e. the minimal cut set can be omitted from the transformed configuration of phase h without changing the reliability of the equivalent system.³⁰ The result then follows from Theorem 3.1. □

Remark 4.2. An even stronger result than Theorem 4.1 can be achieved. If (as henceforth will be done) $\bar\phi_j$ is used to denote the structure function of the phase j configuration after cut cancellation has been performed to the greatest possible extent, j=1,...,m, then by an argument along the lines of the proof above it can be shown that


although it follows from (4.2.2) that for j=1,...,m,

$$\bar\phi_j \ge \phi_j, \tag{4.2.4}$$

and strict inequality may hold in (4.2.4) for all j except j=m. □
As a final illustration of the cut cancellation technique, consider its effect on the mission described in Example 1.1. The minimal cut sets for this mission are, before cancellation:
in phase 1   {M,L}  {M,S}
in phase 2   {F}  {H,M}  {H,T}  {M,L}
in phase 3   {F,M}  {H,M}  {H,T}
The minimal cut sets remaining after cancellation are:
in phase 1   {M,S}
in phase 2   {F}  {M,L}
in phase 3   {F,M}  {H,M}  {H,T}
A block diagram for the sequence of simplified phase configurations is shown in Figure 4.1.

Figure 4.1. Block diagram for the mission of Example 1.1 after cut cancellation (phase 1, phase 2, phase 3).

After cancellation, the transformation can be applied to obtain the equivalent system shown in Figure 4.2. This system is considerably simpler than the one shown in Figure 3.1, but has the same reliability. Reliability computations are simplified accordingly.

Figure 4.2. Equivalent system for the mission of Example 1.1, after cancellation.
5.   BOUNDS  ON  MISSION  RELIABILITY 

In  Section  4.1  it  was  shown  how  the  transformation  can  be  used 
directly  for  the  calculation  of  exact  mission  reliabilities;  it  was 
also  pointed  out  why  this  approach  may  be  problematic.   In  this 
chapter,  bounds  on  mission  reliability  are  studied.   Bounds  require 
less  computational  effort  than  the  exact  reliabilities  and,  although 
not  necessarily  precise,  often  suffice  for  the  purpose  at  hand. 

5.1   BOUNDS  BASED  ON  PHASE  RELIABILITY  FUNCTIONS 

A tempting procedure to approximate mission reliability is to deliberately commit what was shown³¹ to be a logical error when trying to find exact reliabilities, namely to compute the reliability of each phase configuration separately, and then to multiply the results together. There are at least two choices of component reliabilities to use in doing this: the conditional component phase reliabilities $\pi_{kj}$ given in (4.1.1), or the (unconditional) component reliabilities $p_{kj}$ given in (4.2.1). The first choice leads to estimating mission reliability by

$$\pi_{PRF} = \prod_{j=1}^{m} h_j(\pi_{1j},\ldots,\pi_{nj}), \tag{5.1.1}$$

and the second choice to estimating mission reliability by

$$p_{PRF} = \prod_{j=1}^{m} h_j(p_{1j},\ldots,p_{nj}), \tag{5.1.2}$$

where in both cases $h_j$, j=1,...,m, are the reliability functions for the phase configurations.³² The reliability function of a system with structure function $\phi$ is defined by

$$h(p_1,\ldots,p_n) = P[\phi(X_1,\ldots,X_n)=1] = E\,\phi(X_1,\ldots,X_n),$$

where $X_1,\ldots,X_n$ are independent performance state indicator variables with $P[X_k=1] = p_k$, k=1,...,n.

The following theorem shows that (5.1.1) gives an optimistic result (cf. Example 1.2), i.e. is an upper bound on mission reliability, and that (5.1.2) gives a conservative result (cf. Example 3.1), i.e. is a lower bound.

Theorem 5.1. For $\pi_{PRF}$ as given by (5.1.1), $p_{PRF}$ as given by (5.1.2), and p as given by (2.3.1) or (3.3.1), $p_{PRF} \le p \le \pi_{PRF}$.

Proof. The coherent phase configurations have non-decreasing structure functions from (2.2.1), and $U^{(1)},\ldots,U^{(m)}$ are independent by construction. Thus

$$E\prod_{j=1}^{m}\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)}) \le E\prod_{j=1}^{m}\phi_j(U^{(j)}) = \prod_{j=1}^{m}E\,\phi_j(U^{(j)}), \tag{5.1.3}$$

so that $p \le \pi_{PRF}$ from (3.3.1) and (5.1.1).

The proof that $p_{PRF} \le p$ uses standard properties³³ of associated³⁴ random variables. Since $U_{kj}$, k=1,...,n, j=1,...,m, are independent and thus associated, and $\phi_j$, j=1,...,m, are non-decreasing, then $\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)})$, j=1,...,m, are associated. Therefore the inequality

holds, so that $p_{PRF} \le p$ from (3.3.1) and (5.1.2). □
The method of approximating mission reliability described above can also be employed after cut cancellation has been performed. Denoting the phase reliability functions of the simplified phase configurations by $\bar h_j$, j=1,...,m, the resulting approximations corresponding to $\pi_{PRF}$ and $p_{PRF}$ are

$$\pi_{PRF-CC} = \prod_{j=1}^{m}\bar h_j(\pi_{1j},\ldots,\pi_{nj}) \tag{5.1.4}$$

and

$$p_{PRF-CC} = \prod_{j=1}^{m}\bar h_j(p_{1j},\ldots,p_{nj}), \tag{5.1.5}$$

respectively. Again, $\pi_{PRF-CC}$ gives an optimistic, and $p_{PRF-CC}$ a conservative result, as is shown in the next theorem.

Theorem 5.2. For $\pi_{PRF-CC}$ as given by (5.1.4), $p_{PRF-CC}$ as given by (5.1.5), and p as given by (2.3.1) or (3.3.1), $p_{PRF-CC} \le p \le \pi_{PRF-CC}$.

Proof. The phase structure functions are greater after cut cancellation than before from (4.2.4); thus

so that $p \le \pi_{PRF-CC}$ from (3.3.1), (5.1.3), and (5.1.4).

The $\bar\phi_j$, j=1,...,m are non-decreasing, and therefore the same properties of associated random variables used before³⁶ lead to the inequality

$$\prod_{j=1}^{m}E\,\bar\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)}) \le E\prod_{j=1}^{m}\bar\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)}).$$

The equivalent system has the same reliability before and after cut cancellation by Theorem 4.1, i.e.

$$E\prod_{j=1}^{m}\bar\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)}) = E\prod_{j=1}^{m}\phi_j(U^{(1)}U^{(2)}\cdots U^{(j)}),$$

so that $p_{PRF-CC} \le p$ from (3.3.1) and (5.1.5). □
The four bounds presented so far all presuppose that the phase reliability functions $h_j$ or $\bar h_j$ are known for all m phases. Although to compute them is considerably easier than to compute the reliability function for the complete equivalent system, it may still be a formidable task. In the following section, therefore, bounds are studied which do not involve the phase reliability functions.

5.2   BOUNDS  BASED  ON  PHASE  BOUNDS 

For coherent single-phase systems with independent components, Esary and Proschan [1963] have established two bounds on system reliability which can be computed without a knowledge of the reliability function. In one case, the system is expressed as a series structure of subsystems each of which consists of the components in a minimal cut set acting in parallel. The reliabilities of all subsystems are calculated separately and then multiplied together, the result being the minimal cut lower bound. In the other case, the system is expressed as a parallel structure of subsystems each of which consists of the components in a minimal path set acting in series. Again, the subsystem reliabilities are calculated separately, and then the reliability of the system is computed as if the subsystems were independent, resulting in the minimal path upper bound.³⁷ (The minimal path sets of a coherent system are the minimal, in the set inclusion sense, combinations of components which by all functioning ensure the functioning of the system.)

These two bounds, when applied to each phase separately, can be used to approximate mission reliability in the multi-phase case. Let $h_{UBj}$ and $h_{LBj}$ denote the minimal path upper bound and the minimal cut lower bound, respectively, for phase configuration j, j=1,...,m. Using basically the same approach as before, and choosing as component reliabilities the conditional component phase reliabilities $\pi_{kj}$ in one case and the (unconditional) component reliabilities $p_{kj}$ in the other, one obtains the approximations³⁸

$$\pi_{PUB} = \prod_{j=1}^{m} h_{UBj}(\pi_{1j},\ldots,\pi_{nj}) \tag{5.2.1}$$

and

$$p_{PLB} = \prod_{j=1}^{m} h_{LBj}(p_{1j},\ldots,p_{nj}), \tag{5.2.2}$$

which by the following theorem are bounds on mission reliability.

Theorem 5.3. For $\pi_{PUB}$ as given by (5.2.1), $p_{PLB}$ as given by (5.2.2), and p as given by (2.3.1) or (3.3.1), $p_{PLB} \le p \le \pi_{PUB}$.

Proof. The phase configurations are coherent, thus $h_{LBj} \le h_j \le h_{UBj}$, j=1,...,m, by construction, and the inequalities

$$\prod_{j=1}^{m} h_j(\pi_{1j},\ldots,\pi_{nj}) \le \prod_{j=1}^{m} h_{UBj}(\pi_{1j},\ldots,\pi_{nj}) \tag{5.2.3}$$

and

$$\prod_{j=1}^{m} h_{LBj}(p_{1j},\ldots,p_{nj}) \le \prod_{j=1}^{m} h_j(p_{1j},\ldots,p_{nj}) \tag{5.2.4}$$

hold. Therefore $p \le \pi_{PUB}$ from (5.1.1), (5.2.1) and Theorem 5.1, and $p_{PLB} \le p$ from (5.1.2), (5.2.2) and Theorem 5.1. □

It is easy to see that if a different choice of component reliabilities is made, i.e. if the (unconditional) component reliabilities are used with the phase minimal path upper bounds, or the conditional component phase reliabilities with the phase minimal cut lower bounds, the resulting approximations are not bounds. For a mission with m=1 phases, obviously

$$\prod_{j=1}^{m} h_{UBj}(p_{1j},\ldots,p_{nj}) \ge p \ge \prod_{j=1}^{m} h_{LBj}(\pi_{1j},\ldots,\pi_{nj}),$$

and strict inequality may hold. On the other hand, for a phased mission with the block diagram

[Block diagram with components C_1 and C_2: phase 1, phase 2]

the exact mission reliability and the approximations are, in the established notation,

$$p = p_{12}p_{22} = \pi_{11}\pi_{12}\pi_{21}\pi_{22},$$
$$\prod_{j=1}^{2} h_{LBj}(\pi_{1j},\pi_{2j}) = \pi_{11}\pi_{12}\pi_{22},$$
$$\prod_{j=1}^{2} h_{UBj}(p_{1j},p_{2j}) = p_{11}p_{12}p_{22} = \pi_{11}\pi_{11}\pi_{12}\pi_{21}\pi_{22},$$

so that $\prod_{j=1}^{2} h_{UBj}(p_{1j},p_{2j}) \le p \le \prod_{j=1}^{2} h_{LBj}(\pi_{1j},\pi_{2j})$ and strict inequality holds if $0<\pi_{kj}<1$, k=1,2, j=1,2.

As before, cut cancellation can be performed prior to implementing the approximations (5.2.1) and (5.2.2). The resulting approximations corresponding to $\pi_{PUB}$ and $p_{PLB}$ are

$$\pi_{PUB-CC} = \prod_{j=1}^{m}\bar h_{UBj}(\pi_{1j},\ldots,\pi_{nj}) \tag{5.2.5}$$

and

$$p_{PLB-CC} = \prod_{j=1}^{m}\bar h_{LBj}(p_{1j},\ldots,p_{nj}), \tag{5.2.6}$$

where $\bar h_{UBj}$ and $\bar h_{LBj}$ denote the minimal path upper bound and the minimal cut lower bound, respectively, for the simplified configuration of phase j, j=1,...,m. Theorem 5.4 establishes that these approximations are bounds.

Theorem 5.4. For $\pi_{PUB-CC}$ as given by (5.2.5), $p_{PLB-CC}$ as given by (5.2.6), and p as given by (2.3.1) or (3.3.1), $p_{PLB-CC} \le p \le \pi_{PUB-CC}$.

Proof. The simplified phase configurations are coherent, thus $\bar h_{LBj} \le \bar h_j \le \bar h_{UBj}$, j=1,...,m, by construction and the inequalities

$$\prod_{j=1}^{m}\bar h_j(\pi_{1j},\ldots,\pi_{nj}) \le \prod_{j=1}^{m}\bar h_{UBj}(\pi_{1j},\ldots,\pi_{nj}) \tag{5.2.7}$$

and

$$\prod_{j=1}^{m}\bar h_{LBj}(p_{1j},\ldots,p_{nj}) \le \prod_{j=1}^{m}\bar h_j(p_{1j},\ldots,p_{nj}) \tag{5.2.8}$$

hold. Therefore $p \le \pi_{PUB-CC}$ from (5.1.4), (5.2.5) and Theorem 5.2, and $p_{PLB-CC} \le p$ from (5.1.5), (5.2.6) and Theorem 5.2. □

Bounds $\pi_{PUB-CC}$ and $p_{PLB-CC}$ are the last to be considered here, although additional ones certainly could be found. Attention is now turned to a comparison and assessment of the bounds.


5.3   COMPARISON  AND  ASSESSMENT  OF  THE  BOUNDS 

The  bounds  presented  in  the  previous  two  sections  differ  from 
each  other  in  several  respects,  and  it  is  not  obvious  which  of  them  are 
suited  best  for  a  specific  phased  mission  problem.   It  is  therefore 
necessary  to  compare  and  assess  them.   From  an  applications  point  of 
view,  the  most  significant  criteria  on  which  to  base  comparisons  of 
bounds  are  felt  to  be  precision,  i.e.  closeness  to  the  exact  reliability, 
and  computational  effort,  i.e.  cost  of  calculation.   These  criteria 
will  be  addressed  in  turn. 

For single-phase systems, in order to obtain a rough idea of how system reliability responds to the achievement of a general, across-the-board level of component reliability, and to get an indication of the precision of bounds, it is often assumed that all components have the same probability of functioning. Then system reliability is a function of a single variable - component reliability - and can easily be exhibited. To use a similar approach for a system performing a phased mission, i.e. to assume that all conditional component phase reliabilities are equal, is somewhat more questionable but may still provide an indication of the precision of bounds on mission reliability. The following example demonstrates this.

Example 5.1. Assume that in the mission of Example 1.1 all components have the same conditional phase reliability $\pi$ in all phases, and consequently the same unconditional reliabilities $p_j=\pi^j$ in phase j, j=1,2,3. Then the exact mission reliability and the bounds on mission reliability, as a function of $\pi$, take on the numerical values given in Tables 5.1 and 5.2 below.

The tables show that for component reliabilities close to one, the lower bounds approximate the exact mission reliability quite closely whereas the same is not true for the upper bounds. This fact has been observed frequently in single phase systems.


  π       p       π_PRF    π_PRF-CC   π_PUB    π_PUB-CC
 0.40   0.002    0.025     0.058     0.036     0.077
 0.50   0.011    0.078     0.141     0.119     0.190
 0.60   0.045    0.187     0.274     0.284     0.366
 0.70   0.137    0.364     0.454     0.526     0.584
 0.80   0.337    0.596     0.661     0.782     0.797
 0.90   0.668    0.834     0.857     0.955     0.948
 0.95   0.854    0.932     0.938     0.991     0.987
 0.99   0.978    0.989     0.990     1.000     0.999

Table 5.1. Exact mission reliability and upper bounds for the mission of Example 1.1.


  π       p       p_PRF    p_PRF-CC   p_PLB    p_PLB-CC
 0.40   0.002    0.0⁴64    0.0³36    0.0⁵30    0.0⁴57 ³⁹
 0.50   0.011    0.001     0.004     0.000     0.001
 0.60   0.045    0.009     0.021     0.003     0.010
 0.70   0.137    0.055     0.090     0.030     0.061
 0.80   0.337    0.217     0.277     0.172     0.236
 0.90   0.668    0.590     0.633     0.566     0.615
 0.95   0.854    0.826     0.842     0.820     0.838
 0.99   0.978    0.976     0.977     0.976     0.977

Table 5.2. Exact mission reliability and lower bounds for the mission of Example 1.1. □


The order among the bounds exhibited in Tables 5.1 and 5.2 is no coincidence and does not only hold for this particular example. The next theorem establishes some inequalities which are always valid.

Theorem 5.5. For the bounds as given by (5.1.1), (5.1.2), (5.1.4), (5.1.5), (5.2.1), (5.2.2), (5.2.5), and (5.2.6), and p as given by (2.3.1) or (3.3.1), the following inequalities hold.

$$p_{PLB} \le p_{PLB-CC} \le p_{PRF-CC} \le p \le \pi_{PRF} \le \pi_{PRF-CC} \le \pi_{PUB-CC},$$
$$p_{PLB} \le p_{PRF} \le p_{PRF-CC}, \qquad \pi_{PRF} \le \pi_{PUB}.$$

Proof. The proof consists of a separate demonstration for each inequality.

(1) $p \le \pi_{PRF}$ by Theorem 5.1.

(2) $p_{PRF-CC} \le p$ by Theorem 5.2.

(3) $\pi_{PRF} \le \pi_{PUB}$ from (5.1.1), (5.2.1), and (5.2.3).

(4) $p_{PLB} \le p_{PRF}$ from (5.1.2), (5.2.2), and (5.2.4).

(5) $\pi_{PRF-CC} \le \pi_{PUB-CC}$ from (5.1.4), (5.2.5), and (5.2.7).

(6) $p_{PLB-CC} \le p_{PRF-CC}$ from (5.1.5), (5.2.6), and (5.2.8).

(7) $\pi_{PRF} \le \pi_{PRF-CC}$ from (5.1.1), (5.1.4), and (5.1.6).

(8) $p_{PRF} \le p_{PRF-CC}$ from (4.2.4), (5.1.2), and (5.1.5).

Finally, since $\phi_j \le \bar\phi_j$, j=1,...,m, from (4.2.4) and thus $h_{LBj} \le \bar h_{LBj}$, j=1,...,m, the inequality

$$\prod_{j=1}^{m} h_{LBj}(p_{1j},\ldots,p_{nj}) \le \prod_{j=1}^{m}\bar h_{LBj}(p_{1j},\ldots,p_{nj})$$

holds, so that

(9) $p_{PLB} \le p_{PLB-CC}$ from (5.2.2) and (5.2.6). □

No general inequalities can be established between $\pi_{PRF-CC}$ and $\pi_{PUB}$, and between $p_{PLB-CC}$ and $p_{PRF}$. This is not too surprising. In the case of the two upper bounds, both cut cancellation and the use of phase upper bounds instead of phase reliability functions increase the apparent phase reliabilities; and in the case of the two lower bounds, cut cancellation and the use of phase lower bounds instead of phase reliability functions tend to balance each other. More formally, consider first a system where no cut cancellation is possible, i.e. $\bar\phi_j=\phi_j$, j=1,...,m. If $h_{LBj}<h_j<h_{UBj}$ for some j, then $\pi_{PRF-CC}<\pi_{PUB}$ from (5.2.3), and $p_{PLB-CC}<p_{PRF}$ from (5.2.4). Next, consider a system with $h_{LBj}=h_j=h_{UBj}$ for j=1,...,m. If cuts can be cancelled in any one phase, i.e. if $\bar\phi_j>\phi_j$ for some j, then $\pi_{PRF-CC}>\pi_{PUB}$ and $p_{PLB-CC}>p_{PRF}$ from (4.2.4).⁴⁰ The relative magnitudes of these four bounds, however, may not only depend on the structure of the system under consideration, but also on the values of the component reliabilities. This is the case in the system of Example 1.1 and can be seen by comparing the values of $\pi_{PRF-CC}$, $\pi_{PUB}$, $p_{PLB-CC}$ and $p_{PRF}$ for $\pi=0.4$ and $\pi=0.8$ in Tables 5.1 and 5.2.

The fact that $\pi_{PUB}$ and $\pi_{PUB-CC}$ also cannot be compared is somewhat counter-intuitive and unexpected, because it causes an unsymmetry in the string of inequalities of Theorem 5.5. However, it can be shown that even two single-phase systems with structure functions $\phi_1$ and $\phi_2$, $\phi_1 \ge \phi_2$, may have minimal path upper bounds $h_{UB1}$ and $h_{UB2}$ such that $h_{UB1}<h_{UB2}$. An example is a one-out-of-two system and a two-out-of-three system where all components have the same reliability p. In that case, $h_{UB1}(p)>h_{UB2}(p)$ for 0<p<0.8, and $h_{UB1}(p)<h_{UB2}(p)$ for 0.9<p<1. The mission of Example 1.1 shows a similar behavior, as can be seen by comparing the values of $\pi_{PUB}$ and $\pi_{PUB-CC}$ for $\pi=0.8$ and $\pi=0.9$ in Table 5.1.

As far as the computational effort required to calculate bounds is concerned, only a few statements valid in general can be made. One is that for any system performing a phased mission, less⁴¹ effort is required to compute the m phase reliability functions separately than to compute the reliability function of the equivalent system; another, that phase bounds are easier to calculate than phase reliability functions. Cut cancellation simplifies all reliability calculations, but requires computational effort to be performed. This may be minimal in some cases (in particular when phase minimal cut lower bounds are used because then the minimal cuts of all phases have to be known explicitly), but cannot be neglected totally. On the whole, however, it is felt that the benefits of cut cancellation outweigh its costs.

The diagram below is an attempt to summarize the previous observations. Its comparisons may not hold in all cases, but do indicate what is usually true. The symbol < stands for "requires less computational effort than."

    π_PUB-CC  <  π_PUB  <  π_PRF-CC  <  π_PRF

    p_PLB-CC  <  p_PLB  <  p_PRF-CC  <  p_PRF

Figure 5.1. A comparison of the computational effort required to calculate bounds.


5.4   AN  ALGORITHM  FOR  THE  "BEST"  BOUND 

Trying to select the best bound from those presented in this chapter is a difficult problem whose solution depends on the circumstances of each particular application and cannot be given in general. If one is interested in a conservative rather than an optimistic approximation, and if the system to be analyzed has components with uniformly high conditional reliabilities in all phases, then the qualitative comparisons of the previous section and the numerical values of Example 5.1 suggest that $p_{PLB-CC}$ is a good choice.

Since the above conditions are frequently encountered, and $p_{PLB-CC}$ hence might be used more often than other bounds, an algorithm for its computation is given below. This algorithm assumes that the survival function $F_k(t) = P[T_k>t]$, t>0, is known for each component $C_k$, k=1,...,n, that each phase configuration is represented by a block diagram or a fault tree, and that the duration of the phases and thus the times $t_j$, j=1,...,m, are given.
Algorithm for Computing $p_{PLB-CC}$.

(1) For k=1,...,n and j=1,...,m, compute $p_{kj}$ from⁴²

(2) For j=1,...,m, find the minimal cut sets of phase j from the block diagram or the fault tree⁴³ for that phase.

(3) Perform cut cancellation according to the rule given in Section 4.2.

(4) For j=1,...,m, denote the number of minimal cut sets remaining in phase j by K(j), and the i-th minimal cut set in that phase by $K_{ji}$, i=1,...,K(j). Then compute $p_{PLB-CC}$ from

$$p_{PLB-CC} = \prod_{j=1}^{m}\prod_{i=1}^{K(j)}\Big[1-\prod_{k\in K_{ji}}(1-p_{kj})\Big].$$

The following example illustrates how the algorithm works.

Example 5.2. Suppose that for the mission of Example 1.1, a
general expression for the lower bound $p_{\text{PLB-CC}}$ is wanted.
Using the algorithm described above, the following results are obtained:

(2) The minimal cut sets are
    in phase 1   #{M,L}#  {M,S}
    in phase 2   {F}  #{H,M}#  #{H,T}#  {M,L}
    in phase 3   {F,M}  {H,M}  {H,T}

(3) The cut sets marked #{ }# above are cancelled.

(4) The minimal cut sets remaining are denoted by

    $K_{11} = \{M,S\}$,  $K_{21} = \{F\}$,  $K_{22} = \{M,L\}$,
    $K_{31} = \{F,M\}$,  $K_{32} = \{H,M\}$,  $K_{33} = \{H,T\}$,

and the bound $p_{\text{PLB-CC}}$ is given by

$$\begin{aligned}
p_{\text{PLB-CC}} = {} & [1-(1-p_{M1})(1-p_{S1})]\,[1-(1-p_{F2})] \\
 & \times [1-(1-p_{M2})(1-p_{L2})]\,[1-(1-p_{F3})(1-p_{M3})] \\
 & \times [1-(1-p_{H3})(1-p_{M3})]\,[1-(1-p_{H3})(1-p_{T3})]. \qquad \square
\end{aligned}$$

This concludes the discussion of bounds based on reliabilities
directly. In the next chapter, a reliability transformation is
presented which permits the derivation of additional approximations and
bounds.

6.   HAZARD TRANSFORMS FOR PHASED MISSIONS

Recently,  Esary  and  Hayne  [1973]  extended  the  scope  of  application 
of  a  simple  reliability  calculus  of  Rubinstein  [1961,  1965]  to  coherent 
systems.   This  calculus  uses  an  approximate  hazard  transform  and  leads 
to  conservative  approximations  to  system  reliability.   Its  potential 
for  use  in  the  phased  mission  problem  is  explored  here. 

6.1  AN  APPROXIMATE  HAZARD  TRANSFORM 

The hazard transform of a system with reliability function
$h(p_1, \dots, p_n)$ is defined as

$$H(u_1, \dots, u_n) = -\log h(p_1, \dots, p_n) = -\log h(e^{-u_1}, \dots, e^{-u_n}),$$

where $u_k = -\log p_k$ is the component hazard of component $C_k$ having
reliability $p_k$, $k = 1, \dots, n$. Knowing the hazard transform of a
system is equivalent to knowing its reliability function since

$$h(p_1, \dots, p_n) = e^{-H(u_1, \dots, u_n)} = e^{-H(-\log p_1, \dots, -\log p_n)}.$$

The  assumption  that  components  perform  independently  is  implicit  in  the 
definition  of  a  hazard  function,  just  as  it  is  in  the  definition  of  a 
reliability  function. 

The  approximate  hazard  transform  H'  considered  by  Esary  and  Hayne 
can  be  defined  by  the  following  rules: 

(1)   For a system consisting of a single component $C_k$, the
approximate hazard transform is equal to the component hazard,
i.e.

(2)   For a system which is a combination of two modules (subsystems
with disjoint sets of components) having approximate hazard
transforms $H'_1$ and $H'_2$, the approximate hazard transform
$H'$ is

    $H' = H'_1 + H'_2$   if the combination is series,
    $H' = H'_1 H'_2$   if the combination is parallel.

So far, the rules define the approximate hazard transform only for
systems that can be formed by successive series and parallel
combinations of subsystems which have no components in common, i.e. for
the class of simple systems considered by Lomnicki [1973]. To extend the
definition  to  systems  which  are  coherent  but  not  necessarily  simple, 
a  third  rule  is  needed.   This  rule  makes  use  of  the  fact  that  any 
coherent  system  can  be  represented  in  terms  of  its  minimal  cut  sets. 

(3)   For a coherent system with minimal cut sets $K_1, \dots, K_r$
whose approximate hazard transforms are $H'_1, \dots, H'_r$, the
approximate hazard transform $H'$ is

$$H' = H'_1 + H'_2 + \dots + H'_r.$$

Esary and Hayne show⁴⁴ that the approximate hazard transform
obtained in this way is conservative, i.e. indicates greater system
hazard (less system reliability) than the exact transform. For further
reference, this fact is noted as a theorem.

Theorem 6.1. For a coherent system with reliability function $h$,
hazard transform $H$, and approximate hazard transform $H'$ obtained
according to the rules above, $H' \ge H$, and consequently $h' \le h$,
where $h' = e^{-H'}$. □

6.2  APPLICATION OF THE APPROXIMATE HAZARD TRANSFORM TO THE PHASED
MISSION PROBLEM

Several approximations to the mission reliability of a multi-phased
system can be derived using the approximate hazard transform
defined in the previous section. One of them is discussed here in
detail.

Suppose that cut cancellation has already been performed in a
phased mission. Let $H'_j$ be the approximate hazard transform of the
simplified configuration of phase $j$, $j = 1, \dots, m$, and define an
approximate hazard transform for the mission, $H'$, by

(6.2.1)  $H' = H'_1 + H'_2 + \dots + H'_m$.

Then $h'$ given by

(6.2.2)  $h' = e^{-H'} = e^{-(H'_1 + H'_2 + \dots + H'_m)}$

is a conservative approximation to the mission reliability $p$, as is
proved in the following theorem.

Theorem 6.2. For $h'$ as given by (6.2.2) and $p$ as given by
(2.3.1) or (3.3.1), $h' \le p$.

Proof. Let $h'_j = e^{-H'_j}$, $j = 1, \dots, m$. Then
$h' = \prod_{j=1}^{m} h'_j$ from (6.2.1) and (6.2.2). Since the phase
configurations are coherent, then $h'_j \le h_j$, $j = 1, \dots, m$, by
Theorem 6.1. Therefore, $\prod_{j=1}^{m} h'_j \le \prod_{j=1}^{m} h_j$,
and the result follows from (5.1.5) and Theorem 5.2. □

An  algorithm  for  computing  h'   consists  of  the  following  steps, 
where  the  notation  of  Section  5.4  is  used: 

(1)   For $k = 1, \dots, n$ and $j = 1, \dots, m$, compute $u_{kj}$ from

$$u_{kj} = -\log p_{kj} = -\log F_k(t_j).$$

(2)  For $j = 1, \dots, m$, find the minimal cut sets of phase $j$
from the block diagram or the fault tree for that phase.

(3)  Perform cut cancellation according to the rule of Section 4.2.

(4)  Compute the approximate hazard transform for the mission from

$$H' = \sum_{j=1}^{m} \sum_{i=1}^{K(j)} \prod_{k \in K_{ji}} u_{kj}.$$

(5)  Compute the lower bound $h'$ from

$$h' = e^{-H'}.$$

A comparison of this algorithm with the one presented in Section
5.4 indicates that the calculations of the bounds $h'$ and
$p_{\text{PLB-CC}}$ require about the same amount of effort. Both are
conservative, but $h'$ is less precise than $p_{\text{PLB-CC}}$, as is
established in Theorem 6.3 below. It is therefore questionable from an
applications point of view whether $h'$ can replace $p_{\text{PLB-CC}}$
as the "best" lower bound for a phased mission. However, if all
components of a system are assumed to have constant failure rates
throughout each phase - as is often done for lack of better information
about the distributions of the components' times to failure - the
approximate hazard transform $H'$ has the attractive feature that it is
a polynomial in all of the phase durations. Thus it is well suited for
parametric studies. An illustration of this is given after the assertion
about the relative precision of $h'$ and $p_{\text{PLB-CC}}$ has been
proved.

Theorem 6.3. For $h'$ as given by (6.2.2), and $p_{\text{PLB-CC}}$ as
given by (5.2.6), $h' \le p_{\text{PLB-CC}}$.

Proof. It suffices to note that in the calculation of
$p_{\text{PLB-CC}}$, the exact reliability of each parallel subsystem
corresponding to a minimal cut set is used, whereas in the case of $h'$,
as a consequence of Theorem 6.1, a conservative approximation to the
reliability of each such subsystem is the basis for the calculation. The
result then follows from the fact that all other steps of the
computation are equivalent. □

Example 6.1. Consider the mission of Example 1.1. Assume that
the failure rate of component $k$ in phase $j$ is a constant $r_{kj}$,
$k = F, H, L, M, S, T$, $j = 1, 2, 3$, and let $d_j$ be the duration of
phase $j$, $j = 1, 2, 3$. Then from step (1) of the algorithm above, the
component hazards are

$$u_{kj} = r_{k1} d_1 + \dots + r_{kj} d_j,$$

and the following general expression for the approximate hazard
transform of the mission is obtained from step (4) of the algorithm:⁴⁵

$$\begin{aligned}
H' = {} & r_{M1} d_1 \, r_{S1} d_1 \\
 & + (r_{F1} d_1 + r_{F2} d_2) + (r_{M1} d_1 + r_{M2} d_2)(r_{L1} d_1 + r_{L2} d_2) \\
 & + (r_{F1} d_1 + r_{F2} d_2 + r_{F3} d_3)(r_{M1} d_1 + r_{M2} d_2 + r_{M3} d_3) \\
 & + (r_{H1} d_1 + r_{H2} d_2 + r_{H3} d_3)(r_{M1} d_1 + r_{M2} d_2 + r_{M3} d_3) \\
 & + (r_{H1} d_1 + r_{H2} d_2 + r_{H3} d_3)(r_{T1} d_1 + r_{T2} d_2 + r_{T3} d_3).
\end{aligned}$$

Now suppose that the duration of phase 2, $d_2$, is uncertain, and
that a sensitivity analysis on it is desired. $H'$ as a function of
$d_2$ can be written as

(6.2.3)  $H'(d_2) = a + b\,d_2 + c\,d_2^2$,


where 
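
$$\begin{aligned}
a = {} & r_{M1} d_1 \, r_{S1} d_1 + r_{F1} d_1 + r_{M1} d_1 \, r_{L1} d_1 \\
 & + (r_{F1} d_1 + r_{F3} d_3)(r_{M1} d_1 + r_{M3} d_3) \\
 & + (r_{M1} d_1 + r_{M3} d_3)(r_{H1} d_1 + r_{H3} d_3) \\
 & + (r_{H1} d_1 + r_{H3} d_3)(r_{T1} d_1 + r_{T3} d_3), \\
b = {} & r_{F2}(1 + r_{M1} d_1 + r_{M3} d_3) \\
 & + r_{H2}(r_{M1} d_1 + r_{M3} d_3 + r_{T1} d_1 + r_{T3} d_3) \\
 & + r_{M2}(r_{L1} d_1 + r_{F1} d_1 + r_{F3} d_3 + r_{H1} d_1 + r_{H3} d_3) \\
 & + r_{L2} \, r_{M1} d_1 + r_{T2}(r_{H1} d_1 + r_{H3} d_3), \\
c = {} & r_{M2} r_{L2} + r_{F2} r_{M2} + r_{H2} r_{M2} + r_{H2} r_{T2}.
\end{aligned}$$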


For a numerical illustration, assume that phase 1 lasts 30 minutes
and phase 3 lasts 10 hours, and that the following failure rates (in
hours$^{-1}$) are given:

Component     F        H        L        M        S        T

Phase 1     0.000    0.001    0.040    0.020    0.100    0.000
Phase 2     0.020    0.003    0.010    0.006      -      0.020
Phase 3     0.010    0.002      -      0.005      -      0.020

Then

a = 0.012030,
b = 0.023333 hours$^{-1}$,
c = 0.000258 hours$^{-2}$.

For various durations of phase 2 (in hours), the approximate hazard
transform for the mission, $H'$, and the lower bound on mission
reliability $h'$, both rounded to three decimals, are shown below.

$d_2$      $H'$       $h'$

  0      0.012     0.988
  1      0.036     0.965
  2      0.060     0.942
  3      0.084     0.919
  4      0.109     0.896
  5      0.135     0.874
  6      0.161     0.851
  7      0.188     0.829
  8      0.215     0.806
  9      0.243     0.784
 10      0.271     0.763     □
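
The algorithms of Sections 5.4 and 6.2 applied to the data of Example 6.1, as an added sketch that is not part of the thesis: all function and variable names are assumptions. It goes slightly beyond the example by also evaluating $p_{\text{PLB-CC}}$ with $p_{kj} = e^{-u_{kj}}$, so that the ordering of Theorem 6.3 can be checked numerically.

```python
import math

# Failure rates per hour from the table in Example 6.1 (phases 1, 2, 3).
# None marks a "-" entry: no rate is given for that component and phase.
RATES = {
    "F": (0.000, 0.020, 0.010),
    "H": (0.001, 0.003, 0.002),
    "L": (0.040, 0.010, None),
    "M": (0.020, 0.006, 0.005),
    "S": (0.100, None, None),
    "T": (0.000, 0.020, 0.020),
}

# Minimal cut sets remaining after cut cancellation (Example 5.2), by phase.
CUT_SETS = {
    1: [("M", "S")],
    2: [("F",), ("M", "L")],
    3: [("F", "M"), ("H", "M"), ("H", "T")],
}


def component_hazard(k, j, durations):
    """u_kj = r_k1*d_1 + ... + r_kj*d_j for constant rates within each phase."""
    total = 0.0
    for rate, d in zip(RATES[k][:j], durations[:j]):
        if rate is None:
            raise ValueError(f"no failure rate for component {k} up to phase {j}")
        total += rate * d
    return total


def mission_hazard(durations):
    """Section 6.2, step (4): H' = sum_j sum_i prod_{k in K_ji} u_kj."""
    return sum(
        math.prod(component_hazard(k, j, durations) for k in cut)
        for j, cuts in CUT_SETS.items()
        for cut in cuts
    )


def p_plb_cc(durations):
    """Section 5.4, step (4), using p_kj = exp(-u_kj) for each component."""
    bound = 1.0
    for j, cuts in CUT_SETS.items():
        for cut in cuts:
            hazards = (component_hazard(k, j, durations) for k in cut)
            bound *= 1.0 - math.prod(1.0 - math.exp(-u) for u in hazards)
    return bound


def quadratic_in_d2(d1, d3):
    """Coefficients a, b, c of (6.2.3), recovered from H'(0), H'(1), H'(2)."""
    h0, h1, h2 = (mission_hazard((d1, d2, d3)) for d2 in (0.0, 1.0, 2.0))
    c = (h2 - 2.0 * h1 + h0) / 2.0
    return h0, h1 - h0 - c, c


def sensitivity_table(d1=0.5, d3=10.0, d2_values=range(11)):
    """Rows (d2, H', h' = exp(-H'), p_PLB-CC) for the durations of Example 6.1."""
    rows = []
    for d2 in d2_values:
        durations = (d1, float(d2), d3)
        big_h = mission_hazard(durations)
        rows.append((d2, big_h, math.exp(-big_h), p_plb_cc(durations)))
    return rows


if __name__ == "__main__":
    print("a=%.6f  b=%.6f  c=%.6f" % quadratic_in_d2(0.5, 10.0))
    for d2, big_h, h, p in sensitivity_table():
        print(f"{d2:2d}  H'={big_h:.3f}  h'={h:.3f}  p_PLB-CC={p:.3f}")
```
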

7.   POSSIBLE EXTENSIONS AND REMAINING PROBLEMS

It was shown in this thesis how, under suitable assumptions, the
phased mission problem can be formulated mathematically and transformed
into an equivalent single-phase problem, and how exact mission
reliabilities and approximations to them can be computed. The
assumptions made, however, may not always be satisfied by realistic
systems and missions which have to be analyzed. In particular,
components may not perform independently,⁴⁶ failed components may be
replaced, and the durations of the phases may not be known in advance.

Systems with interdependent components have been studied,⁴⁷ but
so far no generally valid methods to model them seem to be available.
In certain situations an approach similar to the one described in
Chapter 3, i.e. the transformation of a system with interdependent
components into an equivalent system whose synthetic components perform
independently, may be feasible. Another approach might make use of the
fact that several theorems on which lower bounds are based remain valid
when component performances are positively dependent in the sense of
association.⁴⁸

As  far  as  a  replacement  of  failed  components  is  concerned,  it  is 
felt  that  this  feature  can  be  incorporated  into  the  model  without 
causing  major  problems.   If  replacement  is  instantaneous  at  failure, 
it might simply be considered in the component's time to failure
distribution; if replacement can occur only at the end of a phase, then
the  equivalent  system  may  be  modified  to  reflect  this  fact. 

Example 6.1 indicated how uncertainties in the duration of the
phases can be dealt with if component failure rates are constant
throughout the phases. Under these circumstances, and if phase
durations are assumed to be random, the mean of the approximate hazard
transform for the mission can be found, even without complete knowledge
of the phase durations' distributions.⁴⁹

As  a  final  comment  on  the  phased  mission  problem,  it  should  be 
pointed  out  that  even  if  all  the  extensions  mentioned  above  can  be 
incorporated  into  a  model,  practical  use  of  it  can  only  be  made  if  all 
the necessary inputs are available. These inputs, the component
reliabilities on one hand, and the functional organization of the system in
the  various  phases  of  its  mission  on  the  other,  are  not  always  easy  to 
obtain. 

COMMENTS AND NOTES

1  This term is used by Barlow and Proschan [1965].

2  This definition of reliability is due to the Radio-Electronics
Television Manufacturers Association [1955], as cited in Barlow and
Proschan [1965], p. 6, and is widely accepted.

3  Roughly, a system is coherent if its "performance is not impaired
by an improvement in the performance of its components" [Esary and
Marshall 1964, p. 459]. All two-terminal networks and all systems
whose functional organization can be represented by a fault tree using
AND and OR gates only are coherent. - Barlow and Proschan [1965] use
the term "monotonic" instead, but "coherent" seems to be more widely
accepted and will be used in this thesis.

4  This approach was used before by Mine [1959].

5  Barlow and Proschan [1965], pp. 196f.

6  "Roughly... a device has a life if it functions continuously until
some time of failure, and remains failed thereafter." [Esary and
Marshall 1964, p. 459.]

7  Among these are: components perform independently - components
have exponential lives - only two states are recognized for components
and systems.

8  The method is described in Chapter 4.

9  The manual section on phased missions is based on the work of C.
Persels.

10  Success paths and Muth's approach are briefly discussed in Section
1.4.

11  Cf. the definition given above in Note 6.

12  In the military, for instance, a communication network, the power
plant of a ship, and a mine are systems which may be required to perform
phased missions.

13  Apologies are extended for this example to all firemen and all
chemical engineers.

14  Esary and Marshall [1964], Theorem 3.1, p. 461.

15  Muth [1964], p. 2.

16  Rubin [1964], p. 263.

17  Expressing the life length as a random variable also permits,
by the proper choice of its distribution function, taking into account
the operating conditions (the environment) which the system encounters.

18  This is one of the classic assumptions mentioned before which are
not very realistic but without which an exact reliability analysis is
currently impossible.

19  An example for a system which violates this assumption is an
HF-communication network. Here the atmospheric conditions play an
important factor in determining whether the system functions or not.

20  A block diagram is a graphical model of the functional
organization of components in a system. It provides a positive view of
the system in that it indicates the combinations of functioning
components which guarantee the functioning of the system.

21  A fault tree is also a graphical model of the functional
organization of a system, but in contrast to a block diagram it provides
a negative view of the system because it indicates which combinations of
failed components cause failure of the system.

22  Almost all engineering systems are coherent. A ship with two
captains could be an example for a system which is not coherent.
Generally, an EXCLUSIVE OR gate in a fault tree indicates a non-coherent
system.

23  This follows immediately from the definition; cf. Esary and
Proschan [1963], p. 192.

24  Birnbaum, Esary, and Saunders [1961], pp. 66f.

25  Esary and Marshall [1964], Theorem 3.1, p. 461.

26  Cf. Figure 3.1. Component M1, for instance, is common to all
three subsystems.

27  Such computational methods are, for instance, the
inclusion-exclusion algorithm and pivotal decomposition.

28  Cf. Fussell and Vesely [1972] and Vesely and Narum [1970] who
describe programs for the analysis of fault trees.

29  Barlow and Proschan [197_] Chapter 1, or Birnbaum, Esary, and
Saunders [1961], Theorem 2.7.7.1, p. 65.

30  Note, however, that as a result of cut cancellation the
reliability of each phase configuration considered by itself increases.

31  Cf. Examples 1.2 and 3.1 and the paragraphs preceding them.

32  The subscript PRF is used mnemonically to indicate that these
approximations are based on the phase reliability functions.

33  These are discussed, for instance, in Barlow and Proschan
[197_], Chapter 2, and in Esary, Proschan, and Walkup [1967]. From
the latter paper, Theorem 2.1, Theorem 4.1, and Property (P4) are needed
in this proof.

34  Association is a special kind of positive dependence among
several random variables. Performance state indicator variables are
associated if the structure functions of any two coherent systems
built from their corresponding components are positively correlated.

35  The added subscript CC indicates that cut cancellation has
been performed.

36  Cf. the second part of the proof of Theorem 5.1.

37  A detailed discussion of these bounds and proofs are given in
Esary and Proschan [1963], Section 4, pp. 194-197.

38  The subscript PUB stands for phase upper bounds, and the
subscript PLB for phase lower bounds.

39  The abbreviation 0.CP64 stands for 0.000064.

40  It is assumed here that all conditional component phase
reliabilities are strictly positive and less than one.

41  Terms which indicate a comparison are used here in the weak
sense, i.e. "less" stands for "not more".

42  Step (1) can be omitted if a general expression for the bound
rather than a numerical value for it is needed.

43  There exist computer programs which can perform this step.
MOCUS, for instance, developed by Fussell, Henry, and Marshall [1974],
is a program that finds the minimal cut sets of a system from its
fault tree.

44  Esary and Hayne [1973], Theorem 2.5, p. 12.

45  Steps (2) and (3) of the algorithm are the same as in Example
5.2 and not repeated here.

46  Interdependence among components may be caused, for instance,
by common manufacturing processes or common operating conditions, or
because the failure of one component increases the load on its neighbor.

47  For instance by Esary and Marshall [1974].

48  Cf. Remark 2.4 in Esary and Hayne [1973], p. 11.

49  Equation (6.2.3) shows that for the particular mission considered
$E\,H'(D_2)$ depends only on the first two moments of the random variable
$D_2$.